A completely hands-on session on integrating OWASP ESAPI into a sample web application
For further details and Registration/RSVP please visit the following URL:
null Bangalore Bachaav Session | OWASP ESAPI Java Security | 12th July 2014
Champion: Satish | Profile: http://swachalit.null.co.in/event_sessions/30-satish
The following topics will be covered:
- Three faces of web security
- Eclipse basics
- Installing/configuring Tomcat application server
- Plugging the Tomcat application server into Eclipse
- Developing sample web application in JSP (login page, registration page)
- Integrating ESAPI into the web application
- Using the “ESAPI Encoding API” in the code and testing
- Using the “ESAPI Data Validation API” in the code and testing
- Testing XSS with and without ESAPI
- Testing SQL Injection with and without ESAPI
- Testing Log forging with and without ESAPI
Information and Instructions
- This is a completely free but invite only event.
- You require prior invitation to be able to attend this event.
- To get an invite, these are roughly the steps you need to follow
- Register on the swachalit portal
- Register for the event on the portal
- If required fill more details on a Google Form. You need to submit both the Google Form and the registration form to be eligible for an invitation.
- Invites to the event are at the discretion of the Bachaav Champion.
- The Bachaav Champion wants to cover a certain training in a fixed time. This means they choose which of the applicants are likely to gain the most and derive the most value from the event.
- Registrations are not transferable.
- If you have been selected but are unable to attend, please inform us.
- Your seat would be allotted to someone from the waiting list.
- Walk-in participants are not allowed to attend any invite-only session.
More information about null Bachaav Hands-On Workshops
Announcing the null Bachaav session “Code Review”. Like all null Bangalore Bachaav sessions, this is free but registration is compulsory. A group of participants will be selected based on the registrations, since Bachaav is invite only and requires prior registration and approval of the Bachaav champion. Here are the details:
Bachaav Title: Code Review
Bachaav Champion: Sandesh Anand
When: 5th July 2014, 10 AM – 6 PM
Registration Link: http://swachalit.null.co.in/events/12-code-review/event_registrations/new
Bachaav Description: This will be a completely hands-on session on Code Review. The following topics will be covered:
- Introduction to code review
- Basics of J2EE
- Setting up the “test” application in Eclipse
- Walkthrough of installed Eclipse plugins
- Manual verification of security controls – Authentication, Authorization, Input handling, Encryption etc.
- Scripting to help manual review
- Running a scan using open source tools (e.g.: Findbugs)
- Primer on data flow analysis – how this affects code review
- Fixing issues: This includes:
- How to provide recommendation advice
- How to validate fixes
- Applying a couple of fixes from the code reviewed
Note: Please make sure all the pre-requisites are up and running before the session starts. If you are facing any issues with setup, please try to come to the venue 30 mins before the session starts and get them fixed.
- 6 months to 1 year minimum coding experience (any OOP language will do, preferably J2EE)
- Basic Application Security knowledge (OWASP Top 10 etc)
- Basic understanding of Cryptography (e.g.: difference between hashing and encryption)
- Hardware requirements: Any operating system which can install Eclipse
- Software requirements: 1. Eclipse IDE, 2. Latest version of the JDK
Registrations are not transferable. If you have been selected but are unable to attend, please inform the organizers. Your seat would be allotted to someone from the waiting list. Walk-in participants will not be allowed to attend this session.
[The Bachaav session has been postponed to 9th March 2014 – Sunday]
The other details remain the same. Sorry for the inconvenience caused.
We are glad to announce Pune’s very first “Bachaav” session. A Bachaav (Hindi for ‘to secure’) session is one where we concentrate on defending assets, in this case Java-based applications.
We recommend that Java developers attend this session; others are welcome too :)
[Please Note: This is an invite-only session. We will select 30 registrants based on the forms they fill in. Registration will close on 5th March – Wednesday (IST 21:59), and the selected registrants will receive a confirmation thereafter.]
Below are the details for the Bachaav session.
Bachaav Title: Secure Coding with Java.
Bachaav Champion: Abhi Nigam
Short Bio: Abhi is a Software Developer working with Cybage Software Pvt. Ltd. He works in the BFSI domain, where secure coding is a mandatory pre-requisite. He is currently working on a project which provides a commercial lending feature to US Bank and JP Morgan Chase. He is also currently associated with two open source projects, which he is developing with his friends.
When : 9th March 2014
Time : 11 am – 4 pm.
Registration: http://goo.gl/WtRA4a (Only 30 seats so please hurry)
Pre-Requisites: Must have at least a little understanding of Java (or Object Oriented Programming). Please bring your own laptop with a pre-installation of the JRE and JDK 1.7.
Duration of session: 4 hrs (approx.)
Description: The session will deal with secure coding practices in Java. It will cover the basic concepts of secure coding (language independent) and then explore the topics which are specific to Java.
1. Object oriented secure practices
2. Thread API
3. Thread Pools
5. Platform Security
6. Run Time Environment
In a nutshell: We will be looking at code samples and discussing how we can secure that piece of code. Apart from that, there will be some general guidelines on how we can improve the quality of the code that we write.
What to expect: You will have a better understanding of coding in Java which will help you to write secure and optimized code. It will be an interactive session and I hope to learn from you as much as I deliver to you. We will be looking at code samples, and very little code will be written by you in this session.
What NOT to expect: This session won’t teach you the basics of Java.
Location: The selected participants would be informed about the location.
Bachaav sessions are free to attend but only with prior invitation. Participants will be selected based on how they fill in the registration form. All applications are evaluated by the Bachaav Champion to select those whom the Champion thinks will get the most from the session. Only selected applicants will be emailed further details. Even though we would like everyone to attend, sometimes the topic at hand requires extensive knowledge of the subject, and this means that the Champion may not feel confident having an applicant in the session.
If you have ever wondered about the security implications which lie beneath these quirky behaviors, this session is totally for you. Talking about client-side browser security for a whole day would be cool, but how about we make it more relevant to our day-to-day web applications?
The session would concentrate on
- Fixing browser based injection attacks like DOM XSS
- Sandboxing the DOM properties
- Implications of polluting the global namespace
- Thought process of bypassing XSS filters and then fixing them
- Written a few basic web applications
Nafeez Ahamed works as a security engineer solving exciting new problems in the security space. His areas of expertise include client-side security and network security. Most of his time is spent trying to find new ways to defend things in the browser. He feels that defending anything is much harder than attacking, especially if you know what the sophisticated attackers are up to.
For more information about Bachaav Workshops you can visit here.
Introducing null “Bachaav” workshops.
With a lot of “humla” sessions ongoing and more in the pipeline, we are pleased to start a new series in the defence category: “Bachaav”. “Bachaav” sessions will be purely oriented towards defensive techniques against online attacks on different platforms, systems, etc. Mitigations against various specific attacks will be covered in this series.
Along the same lines as humla sessions, “Bachaav” sessions will be free but with compulsory registration. A group of participants will be selected based on the registrations, since “Bachaav” is invite only and requires prior registration and approval of the “Bachaav” champion. Here are the details for our first “Bachaav” session.
Bachaav Title: Secure your WordPress
Bachaav Champion: Anant Shrivastava
When: 30th November 2013, 10 AM to 06 PM
WordPress is one of the fastest growing and simplest to configure CMS / blogging platforms. However, as with any popular project, it comes with its own security cautions and configuration quirks.
This session will focus on “SECURE” setup and configuration of the WordPress platform across a range of setups, from shared hosting to dedicated hosting providers.
Topics to be covered:
- Varied platforms (shared, dedicated, cloud/VPS)
- Limitations / benefits of each setup
- Hardening of the WordPress setup
- Tips of caution
Pre-requisites: Linux command line and knowledge of any dynamic scripting language, preferably PHP.
Anant Shrivastava is a Security Consultant. He started his career as a Linux Administrator. He holds GWAPT, CEH, CSTP and RHCE certifications. He has spoken at various conferences such as Nullcon, c0c0n, Clubhack and g0s. He maintains a website at http://www.anantshri.info
For more information about Bachaav Workshops you can visit here.
Bachaav (meaning defence in Hindi) is a completely hands-on workshop with a clear focus on learning the tools, techniques and approaches of defensive security using simulated servers and networks.
Bachaav is different from a normal null meet in its focus and duration. The focus is on learning specific tools and techniques and the duration is about 5-6 hours of hands-on work.
null Bachaav Basics
- null Bachaav events are invite only
Keeping them exclusive allows for keeping the logistics simple, the course content focussed and the interactions very engaging.
- null Bachaav events are completely hands-on
The idea is to learn defensive security, therefore everyone is expected to come prepared and do the hands-on in a group.
- null Bachaav events require you to bring your laptop
There is no pairing up while doing hands-on. The point is to ensure that you actually get the practice while learning.
- null Bachaav events are about 5-6 hours
This is enough time to get everyone up to speed and comfortable with the topic at hand.
- A null Bachaav event is led by 1-2 champions in that particular topic
One or two hackers who have the experience and skills are assigned as Bachaav Champions for a particular topic. They are completely responsible for the course content and for ensuring that all the group members learn the concepts and the attacks.
null Bachaav MO
- Applications to take part will be invited from null members.
- The champions will select the ten best applications for the topic. This is based on the profile of the applicants and the champion’s discretion.
- Once selected, the hackers will be informed, and they need to come to the workshop with the required things, like a laptop.
null Bachaav Topics
The following are some of the proposed Bachaav workshops. These may change based on the availability of Bachaav Champions.
- Securing WordPress
- Securing a PHP MySQL based application and server
- 802.1x Authentication
- Getting beginners ready for Bachaav
New workshops will be announced on the null mailing list.